WO2005013558A1 - Authentication method for medic gateway - Google Patents


Info

Publication number
WO2005013558A1
Authority
WO
WIPO (PCT)
Prior art keywords
media gateway
shared key
key
gateway controller
lifetime
Prior art date
Application number
PCT/CN2003/001069
Other languages
French (fr)
Chinese (zh)
Inventor
Kezhi Qiao
Ming Ni
Original Assignee
Zte Corporation
Priority date
Filing date
Publication date
Application filed by Zte Corporation
Priority to EP03779653.9A (granted as EP1653661B1)
Priority to ES03779653.9T (ES2515815T3)
Priority to AU2003289653A (AU2003289653A1)
Priority to US10/566,206 (granted as US7492899B2)
Publication of WO2005013558A1
Priority to US11/566,206 (US7389408B1)

Classifications

    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H04L65/103 Media gateways in the network
    • H04L65/104 Signalling gateways in the network
    • H04L65/1101 Session protocols
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication


Abstract

The present invention relates to an authentication method for a media gateway, comprising the following steps: an initial key is set up between the media gateway and the media gateway controller for verifying both sides' initial digital signatures; the media gateway and the media gateway controller carry out signalling with the initial key to generate a new shared key that has a specific lifetime; the media gateway and the media gateway controller authenticate calls and responses using the new shared key; and when the lifetime of the shared key ends, the media gateway and the media gateway controller update the shared key. The invention authenticates each call and updates the shared key periodically, effectively preventing illegal outgoing calls.

Description

Method for media gateway authentication
Technical field
The present invention relates to the field of communications technology, and in particular to a method for implementing media gateway authentication using the MEGACO/MGCP protocol.
Background art
The Media Gateway Control (MEGACO) protocol is RFC 3015 of the Internet Engineering Task Force (IETF).
Figure 1 shows the system network diagram for implementing the MEGACO protocol. MEGACO adopts the decomposed-gateway idea: the gateway that formerly handled signalling and media together is split into two parts, the media gateway (MG) and the media gateway controller (MGC). The MGC controls the actions of the MG through MEGACO: the MGC issues commands to the MG, the MG executes them and returns the result, and the MGC must also handle the events that the MG reports on its own initiative. The logical relationships in MEGACO are expressed through the connection model, whose two most basic constructs are the context (rendered "association" in the original) and the termination; the context represents the connections and topology between terminations.
The main commands between the media gateway controller MGC and the media gateway MG include SERVICECHANGE (register), ADD, MODIFY, SUBTRACT (delete), NOTIFY and so on.
In the traditional media gateway authentication method, once the media gateway MG has registered, the MG is authenticated periodically with a key that never changes. First, using the same key for authentication over a long period makes it easy for a third party to crack. Second, with periodic authentication a third party can easily pass only the authentication messages through to the real MG, so that authentication between the MGC and the MG succeeds, while forging the MG's other messages to initiate calls. Third, in the original method only the MGC authenticates the MG, so the MG may be called with forged messages from an illegitimate MGC.
Summary of the invention
The purpose of the present invention is to provide a more complete authentication mechanism for media gateways that solves the problems of the traditional MG authentication method, namely that a third party can easily impersonate the media gateway MG to initiate calls or impersonate the media gateway controller MGC to call the MG, and that a key left unchanged for a long time may be cracked. It authenticates every call and replaces the shared key periodically, effectively preventing illegitimate forged messages from placing calls.
The invention is implemented as follows:
The invention discloses a method for media gateway authentication comprising: setting, between the media gateway and the media gateway controller, an initial key used to verify both parties' initial digital signatures; the media gateway and the media gateway controller carrying out signalling with the initial key to generate a new shared key with a specific lifetime; the media gateway and the media gateway controller authenticating calls and responses with the new shared key; and, when the lifetime of the new shared key ends, the media gateway and the media gateway controller updating the shared key.
Preferably, the step of generating the shared key further comprises: the media gateway initiating registration signalling to the media gateway controller, the registration signalling carrying parameters for generating the shared key and a digital signature produced with the initial key; after the media gateway controller has verified with the initial key that the media gateway is legitimate, generating the shared key and setting its lifetime; the media gateway controller issuing a modify command to the media gateway, the modify command carrying parameters for generating the shared key, a digital signature produced with the initial key and the lifetime of the shared key; and, after the media gateway has verified with the initial key that the media gateway controller is legitimate, generating the shared key and setting its lifetime.
Preferably, the authentication step further comprises: the media gateway controller digitally signing each call message to the media gateway with the shared key; the media gateway verifying the digital signature in the call message with the shared key and, if it is valid, returning to the media gateway controller a response message digitally signed with the shared key; and the media gateway controller verifying the digital signature in the response message with the shared key and, if it is valid, establishing the call, otherwise rejecting the call.
Preferably, the step of updating the shared key further comprises: the media gateway sending a notify command to the media gateway controller requesting that it generate a new shared key, the notify command carrying parameters for generating the shared key and a digital signature produced with the initial key; after the media gateway controller has verified with the initial key that the media gateway is legitimate, generating a new shared key and setting its lifetime; the media gateway controller issuing a modify command to the media gateway, the modify command carrying parameters for generating the shared key, a digital signature produced with the initial key and the lifetime of the shared key; and, after the media gateway has verified with the initial key that the media gateway controller is legitimate, generating the shared key and setting its lifetime.
Preferably, the algorithm used by the media gateway controller and the media gateway to generate the shared key is different from the algorithm they use to generate digital signatures.
Preferably, the parameters for generating the shared key and the digital signature are transmitted by extending fields or packets of the protocol.
Preferably, the lifetime of the shared key may be a period of time, or the number of times the new shared key may be used for authentication.
The beneficial effects of the technical solution of the invention are: the key can be replaced periodically, preventing the easy cracking that results from authenticating with the same key for a long time; every call of the media gateway MG can be authenticated, solving the problem of a third party initiating illegal calls by filtering messages; and the media gateway MG can be prevented from completing a call under the control of an illegitimate media gateway controller MGC.
Brief description of the drawings
Figure 1 shows the schematic diagram of the MEGACO protocol system;
Figure 2 shows a flowchart of media gateway authentication according to the invention.
Detailed description
The invention discloses a method for media gateway authentication comprising the following steps:
The algorithm used between the media gateway MG and the media gateway controller MGC to generate the shared key is set as y = f1(x), and the algorithm used between the MG and the MGC to generate digital signatures is set as y = f2(x). Both the algorithm by which the media gateway controller and the media gateway generate the shared key and the algorithm by which they generate digital signatures may be chosen as appropriate to the required security level; the invention does not limit the specific algorithms used.
The media gateway MG and the media gateway controller MGC are initially provisioned with a key S used to verify both parties' initial digital signatures. The key S held by the MG and the key S held by the MGC may differ, as long as each can verify the other's digital signature. The key and the parameters can be transmitted by extending MEGACO fields or packets.
The media gateway MG first sends registration signalling to the media gateway controller MGC, carrying the parameters for generating the shared key and a digital signature. After verifying that the MG is legitimate, the MGC generates the shared key and sends the MG, in a modify command, the parameters for generating the shared key, a digital signature and the shared key lifetime. On receipt, the MG verifies that the digital signature is valid and then generates the shared key.
In every subsequent call-setup and response message between the media gateway controller MGC and the media gateway MG, the MGC and the MG sign with the shared key; the call proceeds only after each has verified the other's legitimacy, otherwise the call is rejected.
When the shared key lifetime ends, the media gateway controller MGC regards the existing key as invalid; the media gateway MG must immediately use a notify command to request that the MGC generate a new shared key and to obtain the lifetime of the new key.
In this way the key keeps changing, and calls are authenticated with the new key.
An embodiment of the invention is described below with reference to the drawings.
Figure 2 shows the detailed process of one implementation of MG authentication. Let the initial key between the MG and the MGC be S.
201) 媒体网关 MG向媒体网关控制器 MGC发起注册消息, 消息中带 有用于媒体网关控制器 MGC生成共享密钥的信息 M,并带有用密钥 S对共 享密钥的信息 M或注册消息生成的数字签名; 201) The media gateway MG initiates a registration message to the media gateway controller MGC. The message carries the information M for the media gateway controller MGC to generate a shared key, and it also carries a common key S to the public key. The shared key information M or the digital signature generated by the registration message;
202)媒体网关控制器 MGC收到该消息后用密钥 S验证数字签名, 如 果成功则用共享密钥的信息 M生成共享密钥 S',并给媒体网关 MG应答成 功;  202) After receiving the message, the media gateway controller MGC uses the key S to verify the digital signature, and if successful, it uses the shared key information M to generate the shared key S ', and responds to the media gateway MG with success;
203) 媒体网关控制器 MGC 体网关 MG发修改(MODIFY )消息, 消息中带有用于媒体网关 MG生成共享密钥的信息 N, 并带有用密钥 S对 共享密钥的信息 N或整个消息生成的数字签名, 同时还带有新的共享密 钥生存期: 生存期可以是一个时间, 也可以是新的共享密钥可用于鉴权 的次数;  203) The media gateway controller MGC and the body gateway MG send a modification (MODIFY) message, which carries the information N for the media gateway MG to generate the shared key, and carries the information N for the shared key with the key S or the entire message generation Digital signature with new shared key lifetime: The lifetime can be a time, or the number of times the new shared key can be used for authentication;
204) After receiving the message, the media gateway MG verifies the digital signature with the key S; if verification succeeds, it generates the shared key from the shared-key information N and returns a success response to the media gateway controller MGC;

205) In a given message of each subsequent call setup (for example ADD), the media gateway controller MGC produces the digital signature with the new shared key S';

206) After receiving the message, the media gateway MG verifies the digital signature with the new shared key S'; if verification succeeds, the sender is proven to be a legitimate media gateway controller MGC. The response to the MGC is likewise digitally signed with the new shared key S'. On receiving it, the MGC verifies it with the new shared key S' and, if verification succeeds, establishes the call; otherwise the media gateway MG is deemed illegitimate and the call is rejected. The same method is used in the periodic authentication of the media gateway MG by the media gateway controller MGC;

207) When the shared-key lifetime set by the media gateway controller MGC expires, the media gateway MG sends a notification (NOTIFY) message to the MGC. The message carries the information used by the MGC to generate the shared key, together with a digital signature generated with the key S over the shared-key information N' or over the entire message;

208) After receiving the message, the media gateway controller MGC verifies the digital signature with the key S; if verification succeeds, it generates the new shared key from the shared-key information and returns a success response to the media gateway MG;

209) The media gateway controller MGC sends a modify (MODIFY) message to the media gateway MG. The message carries the information N' used by the MG to generate the shared key, a digital signature generated with the key S over the shared-key information N' or over the entire message, and the new shared-key lifetime. The MG generates the new shared key from the shared-key information N' and uses the new shared key for authentication of subsequent calls and for periodic authentication;

210) The media gateway MG returns a success response to the media gateway controller MGC.

After the lifetime of the new shared key expires, steps 207) to 210) are repeated to generate a new shared key S''', and so on.

... authentication method has been described above in particular; those skilled in the art will understand that various obvious modifications in form and detail can be made to it without departing from the scope and spirit of the invention. For example, because of the similarity between the MEGACO protocol and the MGCP protocol, the substance of the technical solution of the present method applies equally to implementing media gateway authentication with the MGCP protocol. Therefore, the embodiments described above are illustrative rather than restrictive, and all changes and modifications that do not depart from the spirit and scope of the invention fall within its scope.
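The exchange of steps 204 to 210 (and the corresponding claims 2, 4, 5 and 7), modelled in Python as an added example that is not part of the patent or ZTE's code: both sides derive the shared key from the initial key S and the information exchanged in NOTIFY/MODIFY, the lifetime is counted as a number of authentications, and an ADD signed under an expired key is refused once re-keying has happened. The key derivation, the signature algorithm (HMAC-SHA256 over the whole message), the derivation from both parties' information, and all class and function names are assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
import os

# Added example modelling the exchange of steps 204-210; not the patent's or ZTE's own code.
# The algorithms, message layout and the derivation K = KDF(S, N, N') are assumptions.
def kdf(s: bytes, n_mg: bytes, n_mgc: bytes) -> bytes:  # shared-key generation
    return hashlib.sha256(b"shared-key|" + s + n_mg + n_mgc).digest()
def sign(key: bytes, msg: bytes) -> bytes:  # signature algorithm, distinct from kdf (claim 5)
    return hmac.new(key, msg, hashlib.sha256).digest()

class MediaGateway:
    def __init__(self, s: bytes):
        self.s, self.shared, self.lifetime, self.uses, self.n = s, None, 0, 0, b""
    def notify(self):  # step 207: report key expiry, carrying N signed with the initial key S
        self.n = os.urandom(16)
        return self.n, sign(self.s, self.n)
    def on_modify(self, n_mgc, sig, lifetime):  # step 209: verify with S, derive the new key
        if not hmac.compare_digest(sign(self.s, n_mgc), sig):
            raise ValueError("MODIFY not signed with initial key S: controller rejected")
        self.shared, self.lifetime, self.uses = kdf(self.s, self.n, n_mgc), lifetime, 0
    def on_add(self, msg, sig):  # step 206, MG side: only a legitimate MGC gets a signed answer
        if not hmac.compare_digest(sign(self.shared, msg), sig):
            return None, None
        self.uses += 1
        reply = b"ADD-OK:" + msg
        return reply, sign(self.shared, reply)

class Controller:
    def __init__(self, s: bytes, lifetime: int):
        self.s, self.lifetime, self.shared = s, lifetime, None
    def on_notify(self, n_mg, sig):  # step 208 (verify with S), then the MODIFY of step 209
        if not hmac.compare_digest(sign(self.s, n_mg), sig):
            raise ValueError("NOTIFY not signed with initial key S: gateway rejected")
        n_mgc = os.urandom(16)
        self.shared = kdf(self.s, n_mg, n_mgc)
        return n_mgc, sign(self.s, n_mgc), self.lifetime
    def add(self, call_id: bytes):  # step 205: ADD signed with the current shared key
        msg = b"ADD:" + call_id
        return msg, sign(self.shared, msg)
    def on_reply(self, reply, sig) -> bool:  # step 206, MGC side: True = call established
        return reply is not None and hmac.compare_digest(sign(self.shared, reply), sig)

def run_calls(num_calls: int, lifetime: int, s: bytes = b"initial-key-S") -> list:
    mg, mgc = MediaGateway(s), Controller(s, lifetime)
    mg.on_modify(*mgc.on_notify(*mg.notify()))  # initial key establishment round
    keys = [mg.shared]  # S'; each re-key appends S'', S''', ...
    for i in range(num_calls):
        last_add = mgc.add(b"%d" % i)
        assert mgc.on_reply(*mg.on_add(*last_add)), "call rejected"
        if mg.uses >= mg.lifetime:  # lifetime counted in authentications (claim 7)
            mg.on_modify(*mgc.on_notify(*mg.notify()))  # steps 207-210: re-key
            keys.append(mg.shared)
            assert mg.on_add(*last_add) == (None, None)  # stale ADD under S' now refused
    return keys
```

`run_calls(5, 2)` drives five call setups with a two-authentication lifetime and returns the three distinct shared keys that were in force in turn.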

Claims

1. A media gateway authentication method, characterized in that the method comprises: setting, between the media gateway and the media gateway controller, an initial key used by both parties for initial digital signatures;

the media gateway and the media gateway controller perform signaling communication using the initial key so as to generate a new shared key having a specific lifetime;

the media gateway and the media gateway controller authenticate calls and responses using the new shared key;

when the lifetime of the new shared key expires, the media gateway and the media gateway controller update the shared key.

2. The method according to claim 1, characterized in that the step of generating the shared key further comprises:

the media gateway initiates registration signaling to the media gateway controller in order to register, the registration signaling carrying a parameter used to generate the shared key and a digital signature generated with the initial key;

after the media gateway controller has verified, using the initial key, that the media gateway is legitimate, it generates the shared key and sets the lifetime of the shared key;

the media gateway controller initiates a modify command to the media gateway, the modify command carrying the parameter used to generate the shared key, a digital signature generated with the initial key, and the lifetime of the shared key;

after the media gateway has verified, using the initial key, that the media gateway controller is legitimate, it generates the shared key and sets the lifetime of the shared key.

3. The method according to claim 1, characterized in that the authentication step further comprises:

the media gateway controller produces a digital signature with the shared key in each call message sent to the media gateway;

the media gateway verifies the digital signature in the call message with the shared key and, if it is legitimate, returns to the media gateway controller a response message carrying a digital signature made with the shared key;

the media gateway controller verifies the digital signature in the response message with the shared key and, if it is legitimate, establishes the call; otherwise it rejects the call.

4. The method according to claim 1, characterized in that the step of updating the shared key further comprises:

the media gateway sends a notify command to the media gateway controller requesting that the media gateway controller generate a new shared key, the notify command carrying a parameter used to generate the shared key and a digital signature generated with the initial key;

after the media gateway controller has verified, using the initial key, that the media gateway is legitimate, it generates a new shared key and sets the lifetime of the shared key;

the media gateway controller initiates a modify command to the media gateway, the modify command carrying the parameter used to generate the shared key, a digital signature generated with the initial key, and the lifetime of the shared key;

after the media gateway has verified, using the initial key, that the media gateway controller is legitimate, it generates the shared key and sets the lifetime of the shared key.

5. The method according to claim 2, 3 or 4, characterized in that the algorithm used by the media gateway controller and the media gateway to generate the shared key is different from the algorithm used by the media gateway controller and the media gateway to generate the digital signatures.

6. The method according to claim 2, 3 or 4, characterized in that the transmission of the parameter for generating the shared key and of the digital signature can be implemented through extended fields or packages of the protocol.

7. The method according to claim 1, characterized in that the lifetime of the shared key may be a period of time, or may be the number of times the new shared key can be used for authentication.
PCT/CN2003/001069 2003-08-05 2003-12-16 Authentication method for medic gateway WO2005013558A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
EP03779653.9A EP1653661B1 (en) 2003-08-05 2003-12-16 Authentication method for medic gateway
ES03779653.9T ES2515815T3 (en) 2003-08-05 2003-12-16 Authentication method for medical gateway
AU2003289653A AU2003289653A1 (en) 2003-08-05 2003-12-16 Authentication method for medic gateway
US10/566,206 US7492899B2 (en) 2003-08-05 2003-12-16 Authentication method for media gateway
US11/566,206 US7389408B1 (en) 2003-08-05 2006-12-01 Microarchitecture for compact storage of embedded constants

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN03149767.5A CN1286306C (en) 2003-08-05 2003-08-05 Media gate link right discriminating method
CN03149767.5 2003-08-05

Publications (1)

Publication Number Publication Date
WO2005013558A1 true WO2005013558A1 (en) 2005-02-10

Family

ID=34109573

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2003/001069 WO2005013558A1 (en) 2003-08-05 2003-12-16 Authentication method for medic gateway

Country Status (7)

Country Link
US (1) US7492899B2 (en)
EP (1) EP1653661B1 (en)
CN (1) CN1286306C (en)
AU (1) AU2003289653A1 (en)
ES (1) ES2515815T3 (en)
PT (1) PT1653661E (en)
WO (1) WO2005013558A1 (en)



Also Published As

Publication number Publication date
EP1653661A4 (en) 2012-01-04
US7492899B2 (en) 2009-02-17
EP1653661B1 (en) 2014-07-30
US20060236101A1 (en) 2006-10-19
PT1653661E (en) 2014-10-22
EP1653661A1 (en) 2006-05-03
CN1581858A (en) 2005-02-16
ES2515815T3 (en) 2014-10-30
CN1286306C (en) 2006-11-22
AU2003289653A1 (en) 2005-02-15

